I tried to use SSL by Node.js but it doesn't work because permission denied.
try {
var TLSoptions = {
key: fs.readFileSync("/etc/letsencrypt/live/domain.work/privkey.pem"),
cert: fs.readFileSync("/etc/letsencrypt/live/domain.work/cert.pem")
};
https.createServer(TLSoptions, app).listen(port, host, function() {
console.log("TLS Website started.")
}); catch(e) {
console.log(e)
}
=>
{ Error: EACCES: permission denied, open '/etc/letsencrypt/live/domain.work/privkey.pem'
at Object.fs.openSync (fs.js:663:18)
... (Librarys dump)
errno: -13,
code: 'EACCES',
syscall: 'open',
path: '/etc/letsencrypt/live/domain.work/privkey.pem' }
So I tried re-make files of *.pem.
rm -f /etc/letsencrypt/live
rm -f /etc/letsencrypt/archive
rm -f /etc/letsencrypt/renewal
sudo ./letsencrypt-auto certonly -a standalone -d domain.work
and check file authority.
/etc/letsencrypt/live/domain.work$ ls -lsa
total 12
4 drwxr-xr-x 2 root root 4096 Jan 3 21:56 .
4 drwx------ 3 root root 4096 Jan 3 21:56 ..
0 lrwxrwxrwx 1 root root 37 Jan 3 21:56 cert.pem ->
../../archive/domain.work/cert1.pem
0 lrwxrwxrwx 1 root root 38 Jan 3 21:56 chain.pem ->
../../archive/domain.work/chain1.pem
0 lrwxrwxrwx 1 root root 42 Jan 3 21:56 fullchain.pem ->
../../archive/domain.work/fullchain1.pem
0 lrwxrwxrwx 1 root root 40 Jan 3 21:56 privkey.pem ->
../../archive/domain.work/privkey1.pem
/etc/letsencrypt/archive/domain.work$ ls -lsa
total 24
4 drwxr-xr-x 2 root root 4096 Jan 3 21:56 .
4 drwx------ 3 root root 4096 Jan 3 21:56 ..
4 -rw-r--r-- 1 root root 1789 Jan 3 21:56 cert1.pem
4 -rw-r--r-- 1 root root 1647 Jan 3 21:56 chain1.pem
4 -rw-r--r-- 1 root root 3436 Jan 3 21:56 fullchain1.pem
4 -rw-r--r-- 1 root root 1708 Jan 3 21:56 privkey1.pem
but It is not resolved and I cannot find any mistakes and problems.
How to resolve this problem?
When you use sudo to issue the certificates, they will be owned by root.
Since node is not run as root, and the permissions on the certificate folder do not allow them to be opened by anyone except the owner, your node app cannot see them.
To understand the solution, let us assume node is running as the user nodeuser
You can get your user on ubuntu by using : whoami or ps aux | grep node
Solution #1 (temporary):
You could switch the owner of the certificates to your node user.
$ sudo chown nodeuser -R /etc/letsencrypt
However, this may break any other items that look at the cert, such as Nginx or Apache.
It will also only last till your next update, which is no more than 90 days.
On the other hand, whatever script you have that renews the cert can also set the owner.
Solution #2 (do not do this):
Run node as root.
sudo node index.js
This will run node as a root user, which means that the terribly insecure surface of node can access everything on your system. Please don't do this.
Solution #3 (do not do this either):
Open the certificates to everyone.
The certificates are stored in /etc/letsencrypt/archive/${domain}/cert1.pem, and are linked to from /etc/letsencrypt/live/${domain}/cert1.pem.
All folders in both of these paths are +x, meaning that all users on the system can open the folders, with the exception of the "live" and "archive" folders themselves.
You can make those open as well by changing their permissions.
$ sudo chmod +x /etc/letsencrypt/live
$ sudo chmod +x /etc/letsencrypt/archive
This is bad as it allows access from other unexpected sources. Generally opening folders to everyone is a bad idea.
Solution #4 (do this):
On the other hand, you can create a limited group, and allow the permissions to only be opened for them.
// Create group with root and nodeuser as members
$ sudo addgroup nodecert
$ sudo adduser nodeuser nodecert
$ sudo adduser root nodecert
// Make the relevant letsencrypt folders owned by said group.
$ sudo chgrp -R nodecert /etc/letsencrypt/live
$ sudo chgrp -R nodecert /etc/letsencrypt/archive
// Allow group to open relevant folders
$ sudo chmod -R 750 /etc/letsencrypt/live
$ sudo chmod -R 750 /etc/letsencrypt/archive
That should allow node to access the folders with the certs, while not opening it to anyone else.
You should then reboot or at least logout and in after these changes.
(Many changes to permission and groups require a new session, and we had issues with PM2 until reboot.)
On ec2 instance you can do sudo reboot.
Should something go wrong and you want to revert to original settings follow this
// Delete Group
$ sudo groupdel nodecert
// Reset Permission
$ sudo chown -R :root /etc/letsencrypt/live
$ sudo chown -R :root /etc/letsencrypt/archive
// Check Permissions
$ sudo ll /etc/letsencrypt/
I'm not familiar with Node.js, but it's clearly the same permissions problem as with PostgreSQL. So the same solution should work fine. This allows you to leave the permissions on /etc/letsencrypt as they are :
copy the certificates to your Node.js directory
chown the copied files to your "node" user
You can have a script doing that in /etc/letsencrypt/renewal-hooks/deploy which will be called everytime you renew your certificates.
Example /etc/letsencrypt/renewal-hooks/deploy/10-certbot-copy-certs :
#!/bin/bash
domain=domain.work # using your example name
node_dir=/path/to/cert_copies
node_user=nodeuser
cp /etc/letsencrypt/live/$domain/{fullchain,privkey}.pem "$node_dir"/
chown $node_user "$node_dir"/*.pem
This worked for me:
Copy all pem files that you need into the root folder of your project:
sudo cp /etc/letsencrypt/live/www.your-domain.com/privkey.pem /home/your-username/your-server-directory/privkey.pem
Read the files like so:
.createServer(
{
key: fs.readFileSync("privkey.pem"),
cert: fs.readFileSync("cert.pem"),
},
Grant permissions:
sudo chown your-username -R privkey.pem
I was using ec2-user on Amazon Linux 2 instance and had the same problem. This worked for me:
sudo chown ec2-user -R /etc/letsencrypt
The above top answer by #SamGoody didn't work for me since it didn't set all the group permissions. It worked after I setup the nodecert group as he suggested like this
$ sudo addgroup nodecert
$ sudo adduser nodeuser nodecert
$ sudo adduser root nodecert
and then did
$ sudo nautilus
and clicked down to /etc/letsencrypt then right clicked "Properties" and changed the group permissions manually to nodecert "Access files" in the following two folders and their domain name subfolders
/etc/letsencrypt/live
/etc/letsencrypt/archive
Also changed group permissions manually to nodecert "Read-only" for all contained files and symlinks.
Related
I can't change a directory's owner even if I'm root.
I want to build a NAS by using raspberry 3B+.
So I have created a user named dorm.
Then I changed sshd_file in order to restrict SFTP users(dorm) to
only visit his home directories
Now the user(dorm) doesn't have the write permission. So After I
google it,I should mkdir a 777 directory at /home/dorm/ .So I made it by root.
Then I wanna change its owner by chown -R dorm:dorm
/home/dorm/Documents. I failed.
Maybe its best to remove the user and try again, this is what I did to make it work.
log into newly setup raspberry pi as pi user, only default logins exist.
pi#raspberrypi:~ $ whoami
pi
pi#raspberrypi:~ $ lslogins -u
UID USER PROC PWD-LOCK PWD-DENY LAST-LOGIN GECOS
0 root 84 root
1000 pi 5 15:31 ,,,
add new user dorm
$ sudo adduser dorm
Adding user `dorm' ...
Adding new group `dorm' (1001) ...
Adding new user `dorm' (1001) with group `dorm' ...
Creating home directory `/home/dorm' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for dorm
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
pi#raspberrypi:~ $ lslogins -u
UID USER PROC PWD-LOCK PWD-DENY LAST-LOGIN GECOS
0 root 87 root
1000 pi 5 15:31 ,,,
1001 dorm 0 ,,,
make a backup and edit your sshd_config file,
pi#raspberrypi:~ $ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config-bak
pi#raspberrypi:~ $ sudo vim /etc/ssh/sshd_config
pi#raspberrypi:~ $ diff /etc/ssh/sshd_config /etc/ssh/sshd_config-bak
122,128d121
<
< Match User dorm
< X11Forwarding no
< AllowTcpForwarding no
< PermitTTY no
< ForceCommand internal-sftp
< ChrootDirectory /home/dorm
restart ssh service with sudo service sshd restart
change the ownership of the dorm home directory to root.
$ sudo chown root:root /home/dorm
$ sudo chmod 755 /home/dorm
from the dorm user's directory use sudo as the pi user to create the Documents folder and give ownership to the dorm user
pi#raspberrypi:/home/dorm $ ls
pi#raspberrypi:/home/dorm $ mkdir Documents
mkdir: cannot create directory ‘Documents’: Permission denied
pi#raspberrypi:/home/dorm $ sudo mkdir Documents
pi#raspberrypi:/home/dorm $ ls -l
total 4
drwxr-xr-x 2 root root 4096 Feb 8 18:15 Documents
pi#raspberrypi:/home/dorm $ sudo chown -R dorm:dorm Documents
pi#raspberrypi:/home/dorm $ ls -l
total 4
drwxr-xr-x 2 dorm dorm 4096 Feb 8 18:15 Documents
test the connection etc. using your IP address from your host computer (ssh should reply No route to host)
$ sftp dorm#<IP>
dorm#<IP>'s password:
Connected to dorm#<IP>.
sftp>
you can see the created Documents folder and the user number that owns it (dorm's number)
sftp> ls -ltr
drwxr-xr-x 2 1001 1001 4096 Feb 8 18:15 Documents
you can't move out of the base directory
sftp> pwd
Remote working directory: /
sftp> cd ..
sftp> pwd
Remote working directory: /
you can't put files in the base directory as dorm doesn't have permissions. (file path will need to be altered for your system)
sftp> put /Users/<USER>/tmp
Uploading /Users/<USER>/tmp to /tmp
remote open("/tmp"): Permission denied
if you move into Documents then you can then upload files
sftp> cd Documents
sftp> put /Users/<USER>/tmp
Uploading /Users/<USER>/tmp to /Documents/tmp
/Users/<USER>/tmp 100% 0 0.0KB/s 00:00
here is ls -ld folder_in_question on a host:
lrwxrwxrwx 1 xxx xxx 22 ноя 11 06:40 ../doc -> /mnt/nfs/2600/data/doc
here is ls -ld folder_in_question on from a container:
drwxrwxr-x 3 1002 1002 4096 Nov 11 03:31 /home/xxx/data
I can create and edit files from host, yet when I try say
FROM openjdk:9-jre-slim
#...
RUN adduser --disabled-password --gecos '' xxx
RUN mkdir /home/xxx/data
RUN chown -R xxx:xxx /home/xxx/data
#...
CMD echo "hello" >> /home/xxx/data/test
and run container from my user (as well as from root, default) I get:
sudo docker run -u xxx -it -v /home/xxx/doc:/home/xxx/data x/o:latest
/bin/sh: 1: cannot create /home/xxx/data/test: Permission denied
Same happens if I provide direct path to Docker -v.
How such problem can be solved, what steps shall I take?
i have a folder which contain uploaded file. for example /var/www/app/storage/public :
ls -al /var/www/app/storage/public
-rw-r--r-- 1 www-data www-data 835870 Aug 22 13:42 8b4c4e2a3d64.pdf
-rw-r--r-- 1 www-data www-data 835870 Aug 22 13:24 3d326ab2b3bc.pdf
I want to make a script to clean up that directory without using root user. What should i do if i want to delete those files using ordinary user like sanders so i can do something like:
sanders#localhost:~$ rm -rf /var/www/app/storage/public
Thank you :)
You will have to add this user to your "www-data" group:
sudo usermod -a -G www-data sanders
Then, make sure your folders have the correct group permissions:
sudo chgrp -R www-data /var/www/app/storage/public
sudo chmod -R g+w /var/www/app/storage/public
I'm not using SELinux, and still I can't get the apache user to create files in my cache storage directory. Can this work without using chown to change the user to the actual apache user?
[root#server live_storage]# getenforce
Disabled
[root#server live_storage]# su -s /bin/bash -c 'touch /home/admin/live_storage/c50d02d942c0a3d.cache' apache
touch: cannot touch ‘/home/admin/live_storage/c50d02d942c0a3d.cache’:
Permission denied
[root#server admin]# ls -lsa
total 84
4 drwx------. 10 admin admin 4096 24 mei 10:32 .
4 drwxr-xr-x. 3 root root 4096 9 mei 11:12 ..
4 drwxrwxrwx 3 admin admin 4096 24 mei 10:33 live_storage
[admin#server live_storage]$ touch '/home/admin/live_storage/c50d02d942c0a3d.cache'
[admin#server live_storage]$ ls '/home/admin/live_storage/c50d02d942c0a3d.cache'
/home/admin/live_storage/c50d02d942c0a3d.cache
Figured it out. Apache didn't have execute rights on the /home/admin directory. chmod +x /home/admin fixed the problem
I am configuring hadoop on Ubuntu os. I need to create RSA key pair to allow hadoop to interact with its nodes, so i running this command:
hadoop#ubuntu:~$ ssh-keygen -t rsa -P ""
then I get this:
Generating public/private rsa key pair.
Enter file in which to save the key (/home/hadoop/.ssh/id_rsa):
Could not create directory '/home/hadoop/.ssh': permission denied.
Enter passphrase (empty for no passphrase ):
Enter same passphrase again:
open /home/hadoop/.ssh/id_rsa failed: No such file or directory.
Saving the key failed: /home/hadoop/.ssh/id_rsa.
Forgot to create .ssh dir in your home?
Try that:
mkdir -p ~/.ssh
then re-run ssh-keygen.
Also possibly you doing ssh-keys creation from wrong user.. You started that shell using sudo?
Try to set HOME dir manually or enter right path in prompt.
check your home directory name and permissions
echo $HOME
cd ~ ; ls -l
ls -l .ssh
ls -lR .ssh
if above output is OK and you have correct permissions, perhaps your quota is full
try with "sudo" and see what happens...
Seems like current user doesn't own the contents under home directory.
Gain the ownership as shown as below:
admin#mydb22-02:~$ sudo chown admin.admin /home/admin/
admin#mydb22-02:~$ ls -la
total 32
drwxr-xr-x 2 admin admin 4096 Nov 3 23:29 .
drwxr-xr-x 3 admin admin 4096 Dec 23 2012 ..
-rw------- 1 admin admin 191 Feb 13 2013 .bash_history
-rw-r--r-- 1 admin admin 220 Apr 3 2012 .bash_logout
-rw-r--r-- 1 admin admin 3486 Apr 3 2012 .bashrc
-rw-r--r-- 1 admin admin 675 Apr 3 2012 .profile
-rw-r--r-- 1 admin admin 0 Nov 3 23:29 .sudo_as_admin_successful
-rw------- 1 admin admin 4221 Nov 3 20:31 .viminfo
generating keys would work now as .ssh directory will now be created and owned by current user after generating the assymetric keys
I have spent arround 1 hr on this and finally got the solution. It is due to permission problem. You have to use chown for your 'hadoop user'.
1. First make hadoop directory.
cd /home
mkdir hadoop
then check 'ls -l'. it gives result like :
drwxr-xr-x 2 hadoop hadoop 4096 Aug 22 22:17 hadoop
2. sudo chown hadoop.hadoop /home/hadoop/
3. Then run remaining command for key generater.